Overview
On Tuesday February 7, 2023, the OpenSSL Project Team announced that several versions of OpenSSL contain fixes for vulnerabilities, including one rated high severity (CVE-2023-0286).
OpenSSL is a ubiquitous cryptography library used in many operating systems and applications.
Patches for OpenSSL
The fixes are included in the following releases:
- OpenSSL 1.0.2zg (premium support customers only)
What Sophos products are affected?
Sophos is reviewing and patching all affected applications and services as part of its incident response process.
Note: as this is an ongoing investigation, product status will change as more information becomes available.
Product or Service | Using a vulnerable version of OpenSSL | Exploitability assessment for HIGH rated vulnerabilities (CVE-2023-0286) | Fix/mitigation
---|---|---|---
Cloud Optix | No | N/A | |
PureMessage | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | None
SG UTM (all versions) | Yes | Highly unlikely - trusted CRLs are exclusively read from disk | Patch development underway
Sophos Endpoint protection (Windows/Mac/Linux) | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway
Sophos Endpoint Protection - Legacy (Linux/SVE) | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | None
Sophos Enterprise Console (SEC) | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | None
Sophos Firewall (all versions) | Yes | Highly unlikely - trusted CRLs are exclusively read from disk | Patch development underway
Sophos Central | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch roll-out complete before March 31, 2023
Sophos Connect client | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Under review
Sophos Email | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch roll-out complete before March 31, 2023
Sophos Email Appliance | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | None
Sophos Home | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway
Sophos RED | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway
Sophos Wireless | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway
Sophos Web Appliance | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | None
Sophos SASI (AntiSpam) | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway
Sophos Mobile | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway
Sophos Mobile EAS Proxy | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway
SophosLabs Intelix | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway
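The exploitability column above turns on one condition: whether the application enables OpenSSL's CRL checking (X509_V_FLAG_CRL_CHECK). The following Python script is an added example, not part of the Sophos advisory, that applies the same reasoning to a Python service's own TLS configuration; it assumes only the standard library ssl module, which exposes X509_V_FLAG_CRL_CHECK as VERIFY_CRL_CHECK_LEAF and X509_V_FLAG_CRL_CHECK_ALL as VERIFY_CRL_CHECK_CHAIN.

```python
import ssl

# CPython defines VERIFY_CRL_CHECK_CHAIN as X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL,
# so testing the LEAF bit alone tells us whether X509_V_FLAG_CRL_CHECK is set at all.
CRL_CHECK_BIT = ssl.VERIFY_CRL_CHECK_LEAF


def crl_checking_enabled(ctx):
    """True if this context asks OpenSSL to consult CRLs during chain verification."""
    return bool(ctx.verify_flags & CRL_CHECK_BIT)


def assess_context(ctx):
    """Report the facts behind the advisory's exploitability column for one SSLContext.

    Mirrors the advisory's logic: if the X509_V_FLAG_CRL_CHECK feature is not used,
    the context falls in the "Highly unlikely" bucket whatever OpenSSL it links.
    If CRL checking is in use, the linked OpenSSL version must be compared with the
    fixed releases listed in the OpenSSL advisory (the version is reported for that).
    """
    verifies_peer = ctx.verify_mode != ssl.CERT_NONE
    crl = crl_checking_enabled(ctx)
    if crl and verifies_peer:
        exposure = "CRL checking in use - compare linked OpenSSL against the fixed releases"
    else:
        exposure = "Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used"
    return {
        "openssl_version": ssl.OPENSSL_VERSION,  # e.g. "OpenSSL 3.0.2 15 Mar 2022"
        "verifies_peer": verifies_peer,
        "crl_check_leaf": crl,
        "crl_check_chain": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN == ssl.VERIFY_CRL_CHECK_CHAIN),
        "exposure": exposure,
    }


def demo():
    """Constructed comparison: a default client context versus one with CRL checking on."""
    default_ctx = ssl.create_default_context()          # peer verification on, no CRL flags
    crl_ctx = ssl.create_default_context()
    crl_ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF   # operator-enabled CRL checking (constructed)
    return assess_context(default_ctx), assess_context(crl_ctx)


if __name__ == "__main__":
    for name, report in zip(("default", "crl-enabled"), demo()):
        print(name, report)
```

A context in the "CRL checking in use" bucket is the one to prioritise, and it is also the case where loading CRLs only from a trusted on-disk source (the mitigation the table cites for SG UTM and Sophos Firewall) matters.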
Other products and services
Any other products or services not listed above are still under investigation. Sophos will publish updated information as it becomes available.
Sophos product protections
Sophos is actively monitoring for threat activity and detection opportunities relating to this vulnerability.
Related Information
- https://www.openssl.org/policies/general/security-policy.html
- https://nakedsecurity.sophos.com/2023/02/08/openssl-fixes-high-severity-data-stealing-bug-patch-now/
Change Log
- February 14, 2023: Initial version
- February 20, 2023:
  - Added: Sophos Endpoint Protection - Legacy (Linux/SVE), Sophos Central, Sophos Email, Sophos Email Appliance
  - Updated: Sophos Endpoint protection (Windows/Mac/Linux)